About this Book and the Library


The Identity Manager Staging Guide provides step-by-step procedures to move your Identity 
Management solutions from one stage to subsequent stages. 


Intended Audience 


This book provides information for individuals responsible for understanding administration concepts 
and implementing a secure, distributed administration model. 


Other Information in the Library 


The library provides the following information resources: 


Identity Manager Setup Guide 
Provides overview of Identity Manager and its components. This book also provides detailed 
planning and installation information for Identity Manager. 

Designer Administration Guide 
Provides information about designing, testing, documenting, and deploying Identity Manager 
solutions in a highly productive environment. 

User Application: Administration Guide 


Describes how to administer the Identity Manager User Application. 


User Application: User Guide 


Describes the user interface of the Identity Manager User Application and how you can use the 
features it offers, including identity self-service, the Work Dashboard, role and resource 
management, and compliance management. 

User Application: Design Guide 


Describes how to use the Designer to create User Application components, including how to 
work with the Provisioning view, the directory abstraction layer editor, the provisioning request 
definition editor, the provisioning team editor, and the role catalog. 

Identity Reporting Module Guide 


Describes the Identity Reporting Module for Identity Manager 4.0 and how you can use the 
features it offers, including the Reporting Module user interface and custom report definitions, as 
well as providing installation instructions. 


Analyzer Administration Guide 


Describes how to administer Analyzer for Identity Manager. 


Identity Manager Common Driver Administration Guide 


Provides information about administration tasks that are common to all Identity Manager drivers. 
Identity Manager Driver Guides 
Provides implementation information about Identity Manager drivers. 


About NetIQ Corporation 


We are a global, enterprise software company, with a focus on the three persistent challenges in your 
environment: Change, complexity and risk—and how we can help you control them. 


Our Viewpoint 


Adapting to change and managing complexity and risk are nothing new 


In fact, of all the challenges you face, these are perhaps the most prominent variables that deny 
you the control you need to securely measure, monitor, and manage your physical, virtual, and 
cloud computing environments. 


Enabling critical business services, better and faster 


We believe that providing as much control as possible to IT organizations is the only way to 
enable timelier and cost effective delivery of services. Persistent pressures like change and 
complexity will only continue to increase as organizations continue to change and the 
technologies needed to manage them become inherently more complex. 


Our Philosophy 


Selling intelligent solutions, not just software 


In order to provide reliable control, we first make sure we understand the real-world scenarios in 
which IT organizations like yours operate — day in and day out. That's the only way we can 
develop practical, intelligent IT solutions that successfully yield proven, measurable results. And 
that's so much more rewarding than simply selling software. 


Driving your success is our passion 


We place your success at the heart of how we do business. From product inception to 
deployment, we understand that you need IT solutions that work well and integrate seamlessly 
with your existing investments; you need ongoing support and training post-deployment; and you 
need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we 
all succeed. 


Our Solutions 


* Identity & Access Governance 

* Access Management 

* Security Management 

* Systems & Application Management 
* Workload Management 

* Service Management 


Contacting Sales Support 


For questions about products, pricing, and capabilities, contact your local partner. If you cannot 
contact your partner, contact our Sales Support team. 


Worldwide: www.netiq.com/about_netiq/officelocations.asp 
United States and Canada: 1-888-323-6768 

Email: info@netiq.com 

Web Site: www.netiq.com 


Contacting Technical Support 


For specific product issues, contact our Technical Support team. 


Worldwide: www.netiq.com/support/contactinfo.asp 
North and South America: 1-713-418-5555 

Europe, Middle East, and Africa: +353 (0) 91-782 677 

Email: support@netiq.com 

Web Site: www.netiq.com/support 


Contacting Documentation Support 


Our goal is to provide documentation that meets your needs. If you have suggestions for 
improvements, click Add Comment at the bottom of any page in the HTML versions of the 
documentation posted at www.netiq.com/documentation. You can also email 
Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you. 


Contacting the Online User Community 


Qmunity, the NetIQ online community, is a collaborative network connecting you to your peers and 
NetIQ experts. By providing more immediate information, useful links to helpful resources, and 
access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize 
the full potential of IT investments upon which you rely. For more information, visit 
http://community.netiq.com. 


Staging Identity Manager Projects 


The information covered in the following sections helps you understand the basic principles of staging 
Identity Manager projects. This chapter includes the following information: 


* Section 1.1, "Understanding Staging," on page 9 

* Section 1.2, "Scope of Staging Documentation," on page 12 

* Section 1.3, "Staging Use Cases," on page 12 

* Section 1.4, "Using Designer for Staging Identity Manager Projects," on page 12 

* Section 1.5, "Moving Authorizations During Staging," on page 13 


1.1 Understanding Staging 


Software products must be tested before they are deployed in an IT environment. Typically, after all 
customizations are completed in the development stage, the software products are tested and then 
moved to the production stage. To avoid risk to your production Identity Manager environment, NetIQ 
Corporation recommends that you deploy your Identity Manager projects in separate stages: the 
development environment (which includes all customizations), the test environment (primarily for 
testing), and the production environment. This process of developing and testing is called staging. 
To get an accurate picture of how Identity Manager behaves in the actual production environment, 
ensure that there is uniformity across all stages. 


This guide provides step-by-step procedures for staging your Identity Management projects, enabling 
you to more easily move each project from the initial stage to all subsequent stages. The guide helps 
you to reduce complexity in your Identity Manager deployment process by helping you to test your 
Identity Manager project at multiple stages before the project is live. 


Figure 1-1 Staging Identity Manager Projects 


Figure 1-1 shows a basic representation of the movement of Identity Manager projects across 
different stages. The scale of the projects grows with stages, but the scale of an individual driver does 
not necessarily grow in the same way. 


1.2 Scope of Staging Documentation 


This guide does not discuss all possible aspects of the staging process. The guide primarily focuses 
on staging the core components of Identity Manager, particularly the Identity Manager engine and 
drivers. 


The guide does not discuss staging and moving the Identity Manager User Application or any tools 
associated with that component of Identity Manager. The guide also does not discuss staging Identity 
Reporting, if installed. Please refer to the NetIQ Identity Manager - Administrator's Guide to the 
Identity Applications and Administrator Guide to NetIQ Identity Reporting for more information on 
those components. 


1.3 Staging Use Cases 


The staging discussion includes the following scenarios. Note that some steps in the staging process 
do not apply to all use cases. 


* New Deployment: New drivers and applications are developed during the development stage 
and are then tested and moved to the test environment. These applications are put together and 
moved to the production environment. 


* Existing Deployment: You already have development, test, and production environments ready 
and you want to move a new policy from the development environment to the production 
environment. 


1.4 Using Designer for Staging Identity Manager Projects 


Designer is used in Identity Manager project development for developing packages, policies, 
configuration files, and other objects that make up the configuration of a driver. Designer can create 
the Identity Manager components required for running an Identity Manager project and then deploy 
the project on another Identity Manager deployment. 


You can use Designer to segregate the Identity Manager environment into separate packages that 
can be easily moved from one stage to another. You can use package versioning (for upgrades and 
downgrades) to effectively move your changes from one stage to another. 


Before you begin to use this guide, you should be familiar with Identity Manager and Designer. As you 
create projects, you should have a uniform Identity Vault design across all the stages so that common 
objects are available. Some objects are moved automatically by Designer, but others must be 
moved explicitly to make them available in the next stage. See "Preparing for Staging" on page 15 for 
more information. 


1.5 Moving Authorizations During Staging 


Moving authorizations across stages is a key issue for an Identity Vault security model. eDirectory 
authorizations are assigned to individual objects or to a collection of objects. These authorizations 
play an important role in the object security because they determine the permission to access the 
object to which they have been assigned. 


eDirectory authorizations can be performed through Access Control Lists (ACLs) or Security 
Equivalences/Exclude Roles. Drivers, jobs, RBEs, and so on should have enough permissions to 
successfully perform the desired operations. See "Preparing for Staging" on page 15 for more 
information. 




Preparing for Staging 


The information covered in the following sections helps you design your Identity Manager projects in 
order to stage them easily. This chapter includes the following information: 

* Section 2.1, "Understanding Packages," on page 15 

* Section 2.2, "Converting Configuration Files to Packages," on page 15 

* Section 2.3, “Prerequisites,” on page 15 

* Section 2.4, "Identity Vault Structure," on page 16 

* Section 2.5, "Driver Configuration," on page 16 

* Section 2.6, "Identity Manager Objects," on page 17 

* Section 2.7, "Rights," on page 23 


2.1 Understanding Packages 


A package is a container for components of Identity Manager driver content, organized according to 
the functionality you want to provide to a driver. Packages can contain different types of content that 
you can move from one environment to another, allowing you to re-use content in multiple places. It is 
easier to track and commit changes using packages. You can move to newer versions of a package 
while retaining the older ones. Packages also help you to automate the process of moving content 
changes from one environment to another. 


For information about creating custom packages, see "Developing Custom Packages” in the NetIQ 
Designer for Identity Manager Administration Guide. 


2.2 Converting Configuration Files to Packages 


Before you begin the staging process, we recommend you convert any configuration files in your 
Identity Manager environment into packages. Packages are more portable than configuration files 
and enable you to move your custom policies and related content independent of the server and 
without overwriting any of the settings required for a particular stage. 


For information about converting configuration files to packages, see Upgrading the Identity Manager 
Drivers in the NetIQ Identity Manager Setup Guide. 


2.3 Prerequisites 


Ensure that the following general prerequisites are met before attempting staging: 


* All the stages should have the same version of the eDirectory, Identity Manager, and Identity 
Manager drivers. 




* Designer 4.0 or later is present. 


* All the applications and drivers are fully developed and tested in one stage before moving them 
to the next stage. 


* From your project, gather information about the objects that are not modeled by Designer. For 
more information, see "Objects That Designer Does Not Model" on page 18. 


* Create an LDIF file for all the objects that are not modeled by Designer. Use Designer to import 
the additional objects. 


You should also be aware of the recommended best practices for moving Identity Manager objects 
across stages. For more information about staging best practices, see "Staging Best Practices" on 
page 33. 


2.4 Identity Vault Structure 


An Identity Vault is typically a flat eDirectory tree, which consists of several containers for users, 
devices, groups, objects, and so on. Objects are stored in different containers for performance 
reasons. 


Make sure that you are familiar with the basic principles of directory design. A uniform directory 
design simplifies administrative tasks for staging. For more information on directory design, refer to 
"Directory Design for Identity Management Solutions" 
(http://www.novell.com/coolsolutions/appnote/14533.html). 


2.5 Driver Configuration 


You must create a common data model to allow drivers to work together. 


Even though each driver is unique and uses different policies, all drivers use the same guidelines to 
make the driver configuration file consistent. For example, all policies and driver configuration files 
have the same naming conventions and support the same common data model. 


See "Identity Manager Driver Configuration Development Guidelines" 
(http://www.novell.com/documentation/ncmp10/rk12_architecture/data/bg89kav.html) for guidelines 
on developing new drivers. 


* Section 2.5.1, "Using GCVs in Policies," on page 16 

* Section 2.5.2, "Simulation and Staging," on page 16 


2.5.1 Using GCVs in Policies 


Global Configuration Values (GCVs) are global configuration constants, not global variables; there is 
no way to change a GCV value at runtime. GCVs are globally accessible to the driver and driver set, 
but not to the tree or network. GCVs can be consumed by all drivers in a driver set or by all policies in 
a driver. For more information on using GCVs, see "Configuring Global Configuration Objects" in the 
NetIQ Designer for Identity Manager Administration Guide. 


2.5.2 Simulation and Staging 


The Policy Simulator allows you to test and debug a single policy, a group of policies contained in a 
policy set, or all the policies in a driver or a driver set without implementing the policy in the Identity 
Vault. It also provides a graphical editor to create the XDS Input documents. You can use these 
features to test the policies without affecting the production environment or the connected system. 
This means that you can essentially use Designer as the first stage in your deployment process by 
developing and then testing your policies through simulation. 


2.6 Identity Manager Objects 


Designer provides the ability to develop Identity Manager projects even in offline mode. You can 
easily move your Identity Manager objects from one environment to another. You can also export and 
import projects into a simple configuration file, which can be stored for future use. 


Some Identity Manager objects are not visible in a Designer project, even though they may be 
necessary for your Identity Manager installation. To ensure that you move all necessary objects from 
one stage to another, you should import any objects not modeled in Designer from eDirectory into an 
LDIF container, back up those objects by exporting the LDIF container to an external LDIF file, and 
then import the LDIF file to an LDIF container in the next stage. 


2.6.1 Objects That Designer Models 


You can model the following objects in Designer: 


Driver Sets: A driver set is a container that holds Identity Manager drivers. Only one driver set 
can be active on a server at a time. As a result, all active drivers must be grouped into the same 
driver set. 

Drivers: A driver provides the connection between an application and the Identity Vault. The driver 
is the connector that enables data synchronization and sharing between systems. 

GCVs on Driver Sets and Drivers: Global configuration values (GCVs) are settings that are similar 
to driver parameters. GCVs can be specified for an individual driver as well as a driver set. If a driver 
does not have a GCV, the driver inherits the value for that GCV from the driver set. 

Policies: Policies cover DirXML Script, Entitlement, and XSLT. 

Libraries: You need to provide a context if the library is outside the driver set. 

Resource Objects: Resource objects are mapping tables, GCV resources, prompts, filter resources, 
or ECMA scripts. The resource objects allow you to enhance the functionality of the drivers. 

Provisioning Objects: Workflows, roles, resources, teams, etc. 

Notification Templates: Notification templates enable you to customize and send e-mail messages 
that users receive when triggers occur. 

Identity Vault Schema, Application Schema: Identity Manager allows you to synchronize data 
between connected systems. 

Role Based Entitlements: Entitlements allow you to set up criteria for a person or group that, once 
met, initiate an event to grant or revoke access to business resources within the connected system. 

Named Passwords 

Miscellaneous: Credential Application and Credential Repository. 


2.6.2 Objects That Designer Does Not Model 


Organization (O), Organizational Unit (OU), Domain (DC), and Container (CN): Ensure that these 
objects are created before deploying the project from Designer. Import the containers that contain 
these objects. Include the following objects in the O, OU, DC, and CN objects: 

* All objects that are Security Equivalences objects for any drivers. 

* Objects that are used in any policies. 

* Objects that are used in any job configurations. 

* Objects that are used in GCVs. 

Users: Ensure that these objects are created before you deploy the project from Designer, 
especially the admin users. The list of users can be collected in two different ways: Import the 
containers that contain the user objects. The following objects must be included in the list: 

* Security Equivalences and Exclude Administrator Roles for all the drivers. 

* Static Members on groups and RBE policies. 

* Search identities and Membership Filter on Dynamic groups and RBE policies. 

* Users that are used in any policies. 

* Users that are used in any job configurations. 

* Users that are used in GCVs. 

Groups: Ensure that the static and dynamic group objects are created before deploying them. 
Import the containers that contain the groups. The following objects must be included in the list: 

* Groups that are used in any policies. 

* Groups that are used in any job configurations. 

* Groups that are used in GCVs. 

Password Policies: Ensure that the policies are created before deploying them. 

Indices: Ensure that indices are created before deploying them. 

Custom Objects: User-defined objects are not defined in Designer. Manually create them before 
deploying. Import the containers that contain the custom objects. The following objects must be 
included in the list: 

* All custom objects that are Security Equivalences objects for all the drivers. 

* Custom objects that are used in any policies. 

* Custom objects that are used in any job configurations. 

* Custom objects that are used in GCVs. 


Designer 3.5 and later allows you to import objects listed in the above table in LDIF format and then 
deploy them along with other objects that are being deployed. 


NOTE: These objects are not modeled as drivers or driver sets in Designer. They can be modified by 
modifying the LDIF file that contains these objects in Designer. For more information, refer to 
"Importing Objects" on page 20. 
2.6.3 Importing Objects 


Before copying a staged project, you should import any additional objects not modeled in Designer 
from eDirectory into an LDIF container. For information about objects not modeled in Designer, see 
"Objects That Designer Does Not Model" on page 18. 


1 In Designer, right-click Identity Vault and select Live > Import Additional Objects. 


[Screenshot: Identity Vault context menu showing the Live submenu with Import Additional Objects] 


2 Browse to and select the objects you want to add to the LDIF file. 

Or 

If you want to select all the objects in a container, select Import sub-containers also in the 
Browse Identity Vault dialog box. 


[Screenshot: Browse Identity Vault dialog box with the Import sub-containers also option selected 
and the selected container OU=test.O=novell] 


3 Click OK. 


4 Click Continue on the Import Dialog to import all the objects into Designer. These objects are 
stored in the LDIF container. 


NOTE: These objects are retrieved by an LDAP channel. If you are running the LDAP service on 
non-default ports, see "Changing the LDAP Properties" on page 32 for more information. 


5 Repeat Step 1 through Step 4 for all the Identity Vaults in your projects. 


You can edit the LDIF objects from the LDIF container. Go to the Outline View, expand the Identity 
Vault, then double-click the LDIF container. 


Importing again overwrites the objects already in the LDIF container. To keep a record of the objects 
stored in the LDIF container, export the information of the LDIF container into an LDIF file. For more 
information about exporting LDIF objects to an LDIF file, see "Exporting LDIF Container Objects to an 
LDIF File" on page 22. 


IMPORTANT: You should back up your project by using a version control system or export it to a file. 


2.6.4 Exporting LDIF Container Objects to an LDIF File 


To back up the objects currently stored in the LDIF container in your project, you can export those 
objects and store them in an LDIF file. 

1 In the Modeler, select Identity Vault > Live > Export to File > Additional Objects. 


2 In the window displayed, specify the name of the file into which objects stored in the LDIF 
container should be exported, then click Save or OK. The following window is displayed in a 
Windows environment. 


If there is no information in the LDIF container, a warning is displayed. 
3 If prompted, click OK. 


2.6.5 Importing Objects from an LDIF File into an LDIF Container 


You can import objects from an LDIF file to an LDIF container. This overwrites the existing objects in 
the LDIF container. 

1 In the Modeler, right-click the Identity Vault and select Import Objects from LDIF File. 


2 In the window displayed, select the file from which the LDIF objects should be imported, then 
click Open or OK. 


3 If prompted, click OK. 


2.6.6 Deploying Additional Objects into eDirectory 


Designer allows you to update objects that are already present in eDirectory. However, the current 
functionality does not support the deployment of forward references. To deploy these objects, you can 
either manually create the forward references in eDirectory or remove the references in the LDIF 
container. For more information about modifying LDIF container data, see "Editing the LDIF Container 
Data by Using an Editor" on page 22. 


Designer allows you to update objects that are in eDirectory. 


1 In the Modeler, select Identity Vault > Live > Deploy Additional Objects. 
2 Select or deselect the objects by clicking the Select All icon, then click Deploy. 
If the objects are already present in eDirectory, a warning is displayed. 


3 If the objects are already in eDirectory, click Update Existing Objects in eDirectory to update 
them, click Deploy, then click OK. 


If there are no objects or the information is not in a proper format in the LDIF container, a warning 
is displayed. 
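Because Designer does not deploy forward references, every DN that an entry in the LDIF container points to (its parent container, a Security Equivalence, a group member) must already exist in the target stage or appear earlier in the same LDIF. The following script is an added example, not part of this guide or of Designer: it parses an exported LDIF file in deployment order and reports references that are satisfied neither by an earlier entry nor by a supplied list of DNs known to exist in the next stage, so the problem is found before Deploy is clicked rather than by the warning afterwards. The attribute names checked (securityEquals, equivalentToMe, member, groupMembership) and the sample LDIF are assumptions.

```python
import base64
from typing import Dict, List, Set, Tuple

# Attributes whose values are DNs of other objects. Assumption: these are the
# eDirectory LDAP attribute names for Security Equivalence and group membership;
# extend the set with any DN-valued attributes your policies, jobs or GCVs use.
DN_ATTRIBUTES = {"securityequals", "equivalenttome", "member", "groupmembership"}

# Constructed sample LDIF (not real data): the second entry names a Security
# Equivalence that is not in the file, and the group lists a member that only
# appears later in the file, i.e. a forward reference.
SAMPLE_LDIF = """\
dn: ou=services,o=novell
objectClass: organizationalUnit
ou: services

dn: cn=drv-admin,ou=services,o=novell
objectClass: inetOrgPerson
cn: drv-admin
securityEquals: cn=admin,o=novell

dn: cn=DriverSetGroup,ou=services,o=novell
objectClass: groupOfNames
cn: DriverSetGroup
member: cn=drv-admin,ou=services,o=novell
member: cn=later-user,ou=services,o=novell

dn: cn=later-user,ou=services,o=novell
objectClass: inetOrgPerson
cn: later-user
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison: trim spaces around commas, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Minimal LDIF reader returning (dn, {attr: [values]}) in file order.
    Handles folded continuation lines, base64 values ("attr:: ...") and
    comments; a changetype line is kept as an ordinary attribute."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Tuple[str, Dict[str, List[str]]]] = []
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def parent_dn(dn: str) -> str:
    """The DN's parent container, or "" for a top-level entry."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def find_forward_references(ldif_text: str, existing: Set[str]) -> List[str]:
    """Walk the LDIF in deployment order and report each reference to an object
    that neither exists in the target stage ('existing') nor was deployed by an
    earlier entry. Parent containers and DN_ATTRIBUTES are checked."""
    known = {normalize_dn(d) for d in existing}
    problems: List[str] = []
    for dn, attrs in parse_ldif(ldif_text):
        ndn = normalize_dn(dn)
        parent = parent_dn(ndn)
        if parent and parent not in known:
            problems.append(f"{dn}: parent container {parent} not created before this entry")
        for attr, values in attrs.items():
            if attr not in DN_ATTRIBUTES:
                continue
            for value in values:
                if normalize_dn(value) not in known:
                    problems.append(f"{dn}: {attr} refers to {value}, which is not yet deployed")
        known.add(ndn)                          # later entries may now reference it
    return problems


def main() -> None:
    # Only the organization is assumed to exist in the next stage.
    for problem in find_forward_references(SAMPLE_LDIF, {"o=novell"}):
        print("FORWARD REFERENCE:", problem)


if __name__ == "__main__":
    main()
```

Resolve each reported reference either by creating the object in eDirectory first, by adding it to the LDIF ahead of the entry that uses it, or by removing the reference in the LDIF container and assigning it after deployment.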


2.6.7 Editing the LDIF Container Data by Using an Editor 


Designer allows you to modify the LDIF objects by using different editors. Under the Identity Vault in 
the Outline view, right-click the LDIF container and select Open With > Designer Built-in Editor. You 
can also double-click the LDIF container to open the container. 


You can then use the built-in editor to modify the LDIF data stored in the container. 


2.6.8 Deleting the LDIF Container 


Designer allows you to delete the LDIF container. Under the Identity Vault in the Outline view, right- 
click the LDIF container and select Delete. 


2.7 Rights 


* Section 2.7.1, "Driver Equivalences," on page 23 

* Section 2.7.2, "Roles Based Entitlements Policies," on page 23 

* Section 2.7.3, "Jobs," on page 24 


2.7.1 Driver Equivalences 


Designer allows you to define and deploy the Security Equivalences objects for the drivers in 
eDirectory. 


Security Equivalences require rights to the objects within the Identity Vault in order to perform tasks 
on them. For example, if an Oracle™ database driver has a policy that creates a user in an Identity 
Vault container every time a user is created in the database, but the driver does not have sufficient 
rights on that container, the operation fails. Through Security Equivalence, the driver acquires the 
same rights as the users or objects that have permissions on the container. Carefully evaluate all the 
policies to determine what permissions the drivers need. 


Designer 3.5 and later can store the Security Equivalences and Exclude Administrative Roles of the 
drivers in the project and can assign them to the drivers. Before moving to another staging 
environment, ensure that you know the Security Equivalences and Exclude Administrative Roles 
associated with each driver and ensure that these objects are imported as LDIF objects and moved 
along with other objects before being assigned in the next stage after deployment. 


If the Security Equivalences object and the Exclude Administrative Roles objects are stored as LDIF 
objects, Designer ensures that they are created in the next stage before they are assigned. 


For more information about Security Equivalence, see “Establishing a Security Equivalent User” in 
the NetIQ Identity Manager Security Guide. 


2.7.2 Roles Based Entitlements Policies 


Roles Based Entitlements policies are used by the Entitlements Service driver, which grants 
entitlements to and revokes entitlements from the users. 


An entitlement policy contains the following: 


Membership: The list of users assigned to a policy. A user can be dynamically assigned to a policy 
when he or she meets the criteria for the policy, or the user can be statically (manually) assigned to 
the policy. 


Entitlements: The list of entitlements associated with the policy. Users assigned to the policy receive 
all of the entitlements associated with the policy. If the user is removed from the policy, he or she 
loses all entitlements associated with the policy. 


You can assign any Identity Vault objects for which you want the entitlement policy to be a trustee. 
Each member of the policy becomes a trustee of the objects you add. 




There are several reasons why you might want to make the policy a trustee of an object: 


* One of the policy's entitlements requires the policy's members to have rights to an object. 


* You want to use the policy to assign users as trustees of an object even though rights to the 
object are not required for an entitlement. In this case, you are using the entitlement policy to 
grant and revoke trustee rights for members of the policy. 


These rights are not stored in Designer. You should assign the rights after moving to the next stage. 


2.7.3 Jobs 


Identity Manager has a job scheduling utility that schedules events, such as setting the system to 
disable an account on a specific day, or initiating a workflow to request an extension for a person to 
access a corporate resource. The Job Manager runs on every Identity Manager server in the 
background. Based on the job definition, it checks every minute to see if a job needs to run. When it 
encounters a job, it runs the appropriate Job implementation. 


The Job Manager needs appropriate permissions to run successfully. For example, a job that 
disables a user account from the Identity Vault needs adequate permissions. Appropriate access 
must be granted to the job object in the Identity Vault so that it can modify a user object. Use 
iManager to grant the required rights for the jobs because Designer does not allow you to grant rights 
for jobs. 
Staging Identity Manager Projects 


This chapter contains the following information: 


* Section 3.1, "Staging a Project for the First Time," on page 25 

* Section 3.2, "Staging Changes in an Existing Project," on page 29 

* Section 3.3, "Copying Java Class .jar Files Between Stages," on page 30 

* Section 3.4, "Post-Staging Tasks," on page 30 

* Section 3.5, "Changing the LDAP Properties," on page 32 


3.1 Staging a Project for the First Time 


You should ensure that all the applications and Identity Manager systems are up and running in the 
next stage before moving the configurations. You can stage projects using either packages or 
configuration files, as necessary in your environment. 

* Section 3.1.1, "Staging Using Packages," on page 25 

* Section 3.1.2, "Staging Using Configuration Files," on page 25 

* Section 3.1.3, "First-Time Staging Process," on page 26 


3.1.1 Staging Using Packages 


The simplest, most efficient way to stage your Identity Manager project is by using the package 
functionality included in Identity Manager 4.0 and later. 


We recommend using this approach because unlike configuration files, packages are configured to 
keep server-specific settings separate from the actual Identity Manager content. You move all your 
policies from one stage to the next, not your server configurations. 


For more information about converting configuration files to packages, see Converting Configuration 
Files to Packages in this guide and Upgrading the Identity Manager Drivers in the NetIQ Identity 
Manager Setup Guide. 


3.1.2 Staging Using Configuration Files 


If you have Identity Manager 3.6, you may need to perform the staging process using configuration 
files. Because of the difficulty inherent in updating configuration files, we do not recommend this 
process; instead, convert your existing configuration files to packages. 


For more information about converting configuration files to packages, see Converting Configuration 
Files to Packages in this guide and Upgrading the Identity Manager Drivers in the NetIQ Identity 
Manager Setup Guide. 
3.1.3 First-Time Staging Process 


To stage an Identity Manager project for the first time, complete the following steps: 


1 Import any additional objects not modeled in Designer from eDirectory into an LDIF container. 
For more information on importing additional objects, see "Importing Objects" on page 20. 


2 Compare and import any schema changes from the Identity Vault (eDirectory) to the schema in 
Designer: 


2a Right-click ID Vault > Live > Schema > Compare. 
2b In the Information pane, select Update Designer. 
2c Click Reconcile. 

2d Click OK. 


3 (Optional) If you want to keep a backup of your first-stage project, you can export the existing 
project to an archive file: 


3a Right-click the first-stage project and select Export Project. 

3b Select the project you want to export. 

3c Click Browse and specify the name of the archive file you want to use, then click OK. 
3d Click Finish. 

3e Click OK. 

4 Copy the first-stage project to reuse it in the next stage: 

4a In Designer, go to Window > Show View > Project. 

4b Right-click the first-stage project and select Copy Project. 


4c Enter the name for the second-stage project. We recommend you use a name that clearly 
indicates the project is used for the second stage of the staging process. 


4d Click OK. 


5 (Optional) After copying the existing first-stage project, you may want to rename the project to 
specify that the project is for the first stage. Complete the following steps to rename the 
first-stage project: 

5a In the project view in Designer, right-click the first stage project and select Rename. 


5b Specify a new name for the project and click OK. 


6 In the project view, expand the second-stage project and double-click System Model. 


7 Change the configuration of one of the Identity Vaults in your project: 


7a In the Outline view or the Modeler, double-click the ID Vault. 


7b In the Configuration page, change the Hostname, Admin Username, and Admin Password 
settings to match those of the Identity Vault you want to use for the second-stage project. 


7c Click Test Connection to check the connectivity, then click OK. 
7d If necessary, add more servers and associate those servers with the driver set. 


8 (Optional) If your second-stage project uses one or more different connected systems, change 
the configuration of the connected system or systems of the second-stage Identity Vault. To 
change the system configuration, complete the following steps: 


8a In the Modeler, double-click a driver or a driver line. 


8b In the Driver Configuration page, change the authentication information in the 
Authentication tab. 
8c In the Driver properties page, change the driver-related information in the Driver Parameters 
tab. 


8d The driver parameters depend on the servers on which the drivers reside. Ensure that you 
change the driver parameters on multiple servers if you have multiple servers running a 
driver. 


9 (Optional) If your second-stage project uses a different connected system or different 
configuration settings for provisioning, change the GCVs for the drivers and driver sets of the 
second-stage Identity Vault as necessary. 


Apart from the connection and driver configuration settings changed in Step 7 and Step 8, GCVs 
should be the only things you change on the drivers and the driver set. If your policies are 
properly designed, they read every environment-specific value from a GCV and do not need to 
change between stages. 


9a Update all the GCVs that change with the environment, as necessary. 
9b Move or add new GCVs to any new servers added in Step 7d. 

10 To ensure the integrity of your project, run the Project Checker: 

10a Click Window > Show View > Project Checker. 


10b In the Project Checker view, click the Run the Project Checker icon. 


10c Review the results and correct any issues. For more information about using the Project 
Checker, see “Checking Your Projects” in the NetIQ Designer for Identity Manager 
Administration Guide. 


11 Compare the schema in Designer with the schema of the second-stage Identity Vault (eDirectory) 
and deploy any changes: 


11a Right-click ID Vault > Live > Schema > Compare. 

11b In the Information pane, select Update eDirectory. 

11c Click Reconcile. 

11d Click OK. 


12 In the Modeler, right-click the Identity Vault and select Live > Deploy Additional Objects to 
deploy the additional objects gathered in the Prerequisites. 
13 To deploy the Identity Vault, right-click ID Vault > Live > Deploy. 


See Section 2.7, “Rights,” on page 23 for more information. 
14 Deploy the appropriate Security Equivalences and Exclude Admin Roles objects for each driver. 


15 Repeat Step 7 through Step 14 for each Identity Vault in your project. 


3.2 Staging Changes in an Existing Project 


After you have staged an Identity Manager project using packages, you can move the changes from 
the current stage to the subsequent stages. 


IMPORTANT: NetIQ recommends that you do not use configuration files to move changes from one 
stage to another, because any customizations you have made can be overwritten. Instead, convert 
your existing configuration files into packages. 


For more information about converting configuration files to packages, see "Converting Configuration 
Files to Packages" on page 15. 


1 Right-click the package and select New Package Version. 
2 In the New Version window, increment the patch-level version number by 1, then click Next. 


3 Click Next to confirm the existing package information, then click Finish. Designer creates a new 
version of the change package with an incremented version number and new date stamp. 


4 In Designer, make any changes or customizations to your driver in a single package in your first- 
stage project. You can then test those changes in a non-production environment before moving 
any customizations to a subsequent stage for production use. 


5 If you modify any policies, entitlements, or prompts on the first-stage driver, right-click each 
object in the Outline view and select Sync to Package. 


NOTE: Any changes not synced to the change package will not be moved to the next stage. 


6 When finished making changes, navigate to the change package in the Package Catalog. 
7 Right-click the new version of the change package and select Build. 
8 Right-click the package and click Build Release. 
This releases the version with a timestamp to avoid versioning issues. 

9 Click Browse, then browse to and select the directory where you want to build the package. 
10 Click OK. 
11 Review the summary information, then click OK. 
12 In the Project view, open your second-stage project. 
13 In the Outline view, right-click Package Catalog and select Import Package. 


14 Click Browse, then browse to and select the .jar file for the first-stage package you built and click 
OK. 


15 Click OK to import the selected package. 


16 Review the import message, then click OK. 


3.3 Copying Java Class .jar Files Between Stages 


If you use any custom Java-based functionality in your Identity Manager policies, you must ensure 
you move that functionality from one stage to the next. Designer does not automatically move this 
functionality between stages. 


To move this functionality, you must manually copy each related Java class, stored in a .jar file, 
from the first-stage IDM server to the second-stage IDM server, for example with SCP or SFTP. Avoid 
plain FTP for this step: it sends both the login credentials and the file contents in clear text, and 
the .jar files are executable code that the Metadirectory server will load. After copying, confirm 
that the checksum of each copied file matches the original. Note that this process takes place 
outside of Designer and requires moving the actual files from one computer to another, rather than 
from one project to another. 


Identity Manager typically stores Java classes in the following directory: 
/opt/novell/edirectory/lib/dirxml/classes 


However, in some environments, Java classes may be stored in a different Java classpath. To 
determine if your driver set uses a different Java classpath, complete the following steps: 
1 Right-click the driver set in the Designer Modeler and select Properties. 


2 Click Java. Designer displays any additional Java classpath locations in the Classpath additions 
field. 
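The following is an added example, not part of the Identity Manager documentation or product, that checks the result of the copy described above: it compares the SHA-256 digest of every .jar in the first-stage classes directory with the second-stage copy, so a missing or altered file is caught before the Metadirectory server loads it. The second-stage path in the comment and the sample jars built by demo() are assumptions and constructed data; the first-stage directory is the default location named above.

```python
"""Check that custom Java .jar files reached the second-stage IDM server intact.

Added example for this guide; not part of Identity Manager. The copy itself
(scp or sftp) happens out of band. This script compares SHA-256 digests of the
first-stage classes directory with the second-stage copy (for example over an
NFS/SSHFS mount, or a copy pulled back for checking). The directory paths and
the jars built in demo() are assumptions / constructed data.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large jars do not need to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_jar_copy(src_dir, dst_dir):
    """Map each .jar in src_dir to 'ok', 'missing' or 'mismatch' against dst_dir.

    A mismatch is a failure, not a warning: the Stage 2 server would load
    different bytecode than the version that was tested in Stage 1."""
    src_dir, dst_dir = Path(src_dir), Path(dst_dir)
    if not src_dir.is_dir():
        raise FileNotFoundError(f"source classes directory not found: {src_dir}")
    result = {}
    for jar in sorted(src_dir.glob("*.jar")):
        target = dst_dir / jar.name
        if not target.is_file():
            result[jar.name] = "missing"
        elif sha256_of(jar) != sha256_of(target):
            result[jar.name] = "mismatch"
        else:
            result[jar.name] = "ok"
    if not result:
        raise FileNotFoundError(f"no .jar files in {src_dir}")
    return result


def report(result):
    """Print one line per jar and return True only if every jar is intact."""
    for name, status in result.items():
        print(f"{status.upper():9}{name}")
    return all(status == "ok" for status in result.values())


def demo():
    """Constructed scenario: a clean copy, then one jar tampered and one missing."""
    tmp = Path(tempfile.mkdtemp())
    try:
        src, dst = tmp / "stage1", tmp / "stage2"
        src.mkdir()
        dst.mkdir()
        (src / "custom-policy.jar").write_bytes(b"PK\x03\x04custom policy classes")
        (src / "shim.jar").write_bytes(b"PK\x03\x04shim classes")
        for jar in src.glob("*.jar"):
            shutil.copy2(jar, dst / jar.name)
        intact = verify_jar_copy(src, dst)
        (dst / "shim.jar").write_bytes(b"PK\x03\x04shim classes, modified")
        (dst / "custom-policy.jar").unlink()
        damaged = verify_jar_copy(src, dst)
        return intact, damaged
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    intact, damaged = demo()
    report(intact)
    report(damaged)
    # Real use; the Stage 2 mount point is an assumption:
    # report(verify_jar_copy("/opt/novell/edirectory/lib/dirxml/classes",
    #                        "/mnt/stage2/opt/novell/edirectory/lib/dirxml/classes"))
```

Run the check against every directory listed under Classpath additions as well as the default directory; a jar that is present but differs is reported as a mismatch and treated as a failed copy.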


3.4 Post-Staging Tasks 


Designer does not move all the configurations to the next stage. You must perform a few tasks 
manually to ensure that the configurations work properly. 


* Security Equivalences and Exclude Admin Roles: Check whether all the drivers have 
appropriate Security Equivalences and Exclude Admin Roles objects, as defined in the previous 
stage. For more information, see "Driver Equivalences" on page 23. 


* eDir2eDir Driver Certificates: If you have eDir2eDir driver certificates created in the current 
stage, ensure that these certificates are created in the next stage. 


1. In Designer, right-click the eDir2eDir driver link and select Secure Connection Settings. 
2. Click Enable SSL/TLS, select the required options, then click OK. 
3. Right-click the eDir2eDir driver link, then click Live > Create eDir-to-eDir Certificates. 
* Java Environment Parameters: The Java environment parameters enable you to configure 
the Java Virtual Machine (JVM) on the Metadirectory server associated with the driver set. You 
might need to change the Java classpath options if the .jar files your Metadirectory server is 
looking for reside at a different place in the new stage. To change the location, go to DriverSet > 
Properties > Java > Classpath additions and provide the correct classpaths. When you enter 
multiple classpaths, separate them with a semicolon (;) for a Windows JVM and a colon (:) for a 
UNIX or Linux JVM. Deploy the driver set if you make any changes. 


* Indexes: Make sure that all the customized indexes from the previous stage have been copied 
to the new stage. eDirectory uses these indexes to significantly improve query performance. 
Some indexes are shipped with eDirectory. These default indexes are for the following attributes: 

  * CN 
  * Aliased Object Name 
  * dc 
  * Obituary 
  * Given Name 
  * Member 
  * Surname 
  * Reference 
  * uniqueID 
  * Equivalent to Me 
  * GUID 
  * NLS: Common Certificate 
  * CN_SS 
  * Revision 
  * uniqueID_SS 
  * extensionInfo 
  * ldapAttributeList 
  * ldapClassList 

You can visit each Identity Vault server and collect the customized index information by doing the 
following: 

1. In NetIQ iManager, click the Roles and Tasks tab. 
2. Click eDirectory Maintenance > Indexes. 
3. Select a server from the list of available servers. 
   iManager lists all the active and offline indexes on the selected server. 
4. Make a note of all the customized indexes. 
5. Ensure that you add these indexes to the corresponding servers in the next stage. See 
   "Index Manager" (https://www.netiq.com/documentation/edirectory-9/edir_admin/data/adtuuu5.html) 
   in the NetIQ eDirectory Administration Guide (https://www.netiq.com/documentation/edirectory-9/edir_admin/data/bookinfo.html) 
   for more information on creating, adding, or deleting indexes. 


* Password Policies: Ensure that password policies assigned to the containers, users, and groups in 
the previous stage are assigned again in the current stage. 




* Challenge Response Objects: In addition to password policies, ensure that you migrate or 
recreate any challenge response objects used in the previous stage in the current stage. You can 
either import your existing challenge response objects into the LDIF container in the first-stage 
project or note the details of the challenge response objects in the first-stage project and create 
new objects in the next stage. 


For information about importing objects into the LDIF container, see "Importing Objects" on page 20. 


* Restarting All Drivers: Start the drivers after moving the driver configuration to the next stage. 
In the Modeler, right-click each driver and select Driver > Start Driver. 


3.5 Changing the LDAP Properties 


You can modify the LDAP properties that Designer uses for importing and deploying objects (for 
example, non-default port numbers) in the Properties view of the Identity Vault. 


1 Under the Properties view, click ID Vault, then specify the LDAP clear text port and LDAP secure 
port numbers. 


The Identity Vault section of the Properties view shows the connection properties Designer uses for 
the vault: Name, Host Address, User Name, Password, Context, ldapClearTextPort, ldapSecurePort, 
and useLDAPSecureChannel. Keep useLDAPSecureChannel enabled so that the administrator 
credentials and the objects you import and deploy travel over the LDAP secure port rather than 
the clear text port. 


2 Save the project. 
4 Staging Best Practices 


* If you delete drivers and driver sets from Stage 2 in order to deploy the drivers from Stage 1, you 
can lose the associations. 


* We recommend you use the same Designer workspace for all stage projects. 
* Don't deploy Stage 1 objects directly into the Stage 2 environment. 


* When performing the staging process, ensure you store server-specific settings as GCVs. If 
using packages, you can then leave those GCVs behind when you change stages. However, if 
using configuration files, you need to copy the GCVs from one stage to the next so they do not 
get overwritten. 


* When creating new GCVs for staging, ensure you add those GCVs at the driver set level. 


* Before moving to any stage, understand the existing stage and the objects that Designer does 
not automatically bring in (see "Objects That Designer Does Not Model" on page 18) for the next 
stage. 


Ensure that you know which objects are required in the subsequent stages. Consolidate these 
objects in the LDIF file. 


* You can store any eDirectory objects not modeled in Designer as a DS object in your first-stage 
project and add that object to a package so that you can move the DS object to the second- 
stage. 


* Ensure that you assign the Security Equivalences, Trustees, and Server Certificates of Stage 1 
in Stage 2 after deployment. 


* LDIF files that contain additional objects should be stored locally. You can use the Import 
Convert Export (ICE) utility to deploy these objects in any stage. 


* For a new deployment in Stage 2, ensure that LDIF objects are deployed before importing the 
configuration file or the project file. 


* For an existing deployment in Stage 2, ensure that you compare the existing project with the 
Stage 1 configuration, deploy the necessary LDIF objects, then import the configuration file. 


* Ensure that objects are up-to-date when you import them into the LDIF file. 

* Always import the additional objects into Stage 1 before moving to Stage 2. 


* Export the additional objects of Stage 1 into an LDIF file before moving to Stage 2 so that these 
objects can be manually created in Stage 2 before deployment. 


* Rather than directly modifying your filters, we recommend you create a filter object in your first- 
stage project, add that filter object to a package, and then install the package on a driver in your 
first-stage project. Using the package, you can then easily move any changes to the filter to the 
next stage. 
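As an added example that is not part of this guide, of Designer or of the ICE utility, the following script prepares a Stage 1 LDIF export of additional objects for import into Stage 2 along the lines of the practices above: it drops server-generated operational attributes that must not be replayed into the next tree, and it rewrites the Stage 1 base container in the DN and in DN-valued attributes to the Stage 2 base. The attribute names in DROP_ATTRS and DN_ATTRS, the base containers o=stage1 and o=stage2, and SAMPLE_STAGE1_LDIF are assumptions and constructed data; adjust them to your schema and tree layout.

```python
"""Prepare a Stage 1 LDIF export of additional objects for import into Stage 2.

Added example for this guide; not part of Identity Manager, Designer or ICE.
Assumptions (adjust to your environment): DROP_ATTRS are server-generated
attributes that must not be replayed into the next tree, DN_ATTRS hold DN
values that must follow the base rewrite, and SAMPLE_STAGE1_LDIF is
constructed data, not a real export.
"""
import base64

DROP_ATTRS = {"guid", "creatorsname", "createtimestamp", "modifiersname",
              "modifytimestamp", "entryflags", "subordinatecount"}
DN_ATTRS = {"member", "uniquemember", "equivalenttome", "securityequals",
            "groupmembership", "seealso", "manager"}

# Constructed sample: a group and a role exported from the Stage 1 tree o=stage1.
SAMPLE_STAGE1_LDIF = """\
version: 1

dn: cn=IDM Operators,ou=groups,o=stage1
objectClass: groupOfNames
cn: IDM Operators
description:: U3RhZ2UgMSBvcGVyYXRvciBncm91cA==
member: cn=jdoe,ou=users,o=stage1
member: cn=asmith,ou=users,o=stage1
GUID:: q1Q5tMhFT9yNuyMyQGH8sw==
modifiersName: cn=admin,o=stage1
modifyTimestamp: 20100315120000Z

dn: cn=Deployment Notes,ou=config,o=stage1
objectClass: organizationalRole
cn: Deployment Notes
description: Long description that was folded
  by the exporter across two lines
seeAlso: cn=IDM Operators,ou=groups,o=stage1
"""


def parse_ldif(text):
    """Return records as lists of (attribute, bytes) pairs.

    Unfolds continuation lines (leading space), skips comments and the
    version line, and decodes base64 (::) values, which may be binary."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded line: join to previous
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#") or (not current and line.lower().startswith("version:")):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: base64"
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        current.append((attr.strip(), value))
    return records


def rewrite_dn(dn, old_base, new_base):
    """Replace the Stage 1 base suffix of a DN with the Stage 2 base (case-insensitive)."""
    if dn.lower().endswith(old_base.lower()):
        return dn[: len(dn) - len(old_base)] + new_base
    return dn


def prepare_record(record, old_base, new_base):
    """Drop operational attributes and rewrite the DN and DN-valued attributes."""
    out = []
    for attr, value in record:
        key = attr.lower()
        if key in DROP_ATTRS:
            continue
        if key == "dn" or key in DN_ATTRS:
            value = rewrite_dn(value.decode("utf-8"), old_base, new_base).encode("utf-8")
        out.append((attr, value))
    return out


def _is_safe_string(value):
    """RFC 2849 SAFE-STRING: printable ASCII, not starting with space, ':' or '<'."""
    return all(32 <= b < 127 for b in value) and value[:1] not in (b" ", b":", b"<")


def emit_ldif(records):
    """Serialise records back to LDIF, base64-encoding anything that is not safe."""
    blocks = []
    for rec in records:
        lines = [f"{attr}: {value.decode('ascii')}" if _is_safe_string(value)
                 else f"{attr}:: {base64.b64encode(value).decode('ascii')}"
                 for attr, value in rec]
        blocks.append("\n".join(lines))
    return "version: 1\n\n" + "\n\n".join(blocks) + "\n"


def prepare_ldif(text, old_base, new_base):
    """Full pipeline: Stage 1 export text in, Stage 2 import text out."""
    return emit_ldif(prepare_record(r, old_base, new_base) for r in parse_ldif(text))


if __name__ == "__main__":
    print(prepare_ldif(SAMPLE_STAGE1_LDIF, "o=stage1", "o=stage2"), end="")
```

Feed the output file to the ICE utility's LDIF source handler against the Stage 2 server before you deploy the project (see the NetIQ eDirectory Administration Guide for the ice command-line options). Keep the prepared file, like the original export, stored locally and under access control: it names the objects and group memberships of the next stage.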